Date: Fri, 29 May 2015 15:21:02 +0100
From: "Sevan / Venture37" <venture37@gmail.com>
To: Bryan Drewery <bdrewery@freebsd.org>
Cc: Roger Marquis <marquis@roble.com>, Mark Felder <feld@freebsd.org>, freebsd-ports@freebsd.org
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
Message-ID: <CA+U3Mf58OSjNP6H45nCyXc+HLCAtu6b6fLkoBSBjCP=pLFkgHg@mail.gmail.com>
In-Reply-To: <556746A4.4090208@FreeBSD.org>
References: <alpine.BSF.2.11.1505171402430.52815@eboyr.pbz> <20150523153029.B7BD3280@hub.freebsd.org> <1432659389.3130746.278522905.6D1E6549@webmail.messagingengine.com> <20150527174037.EF719B11@hub.freebsd.org> <556746A4.4090208@FreeBSD.org>
On 28 May 2015 at 17:47, Bryan Drewery <bdrewery@freebsd.org> wrote:
> I think the VUXML database needs to be simpler to contribute to. Only a
> handful of committers feel comfortable touching the file. We have also
> had the wrong pervasive mentality by committers and users that the vuxml
> database should only have an entry if there is a committed fix. This is
> totally wrong. These CVEs are _already public_ in all of these cases.
> Users deserve to know that there is a known issue with a package they
> have installed. I can understand how the mentality grew to what it is
> with some people, but the fact that there is not an update doesn't
> change that the user's system is insecure and needs to be dealt with. If
> the tool can't reliably report issues then it is not worth trusting.
>
> TL;DR; the file needs to be simpler. I know there is an effort to use
> CPE but I'm not too familiar with where it is going.

May I suggest a more pragmatic format of package+version, type of issue, URL for further info.

> The RedHat security team and reporting is very impressive. Don't forget
> that they are a funded company though. Perhaps the FreeBSD Foundation
> needs to fund a full-time security officer that is devoted to both Ports
> and Src. Just the Ports piece is easily a full-time job.

There seems to be a lot of eyes on the ports-bugs@ list from the community; a heads-up about vulnerabilities via the bug tracker may help in the meantime?

Sevan / Venture37